Talos Vulnerability Report

TALOS-2018-0687

Anker Roav A1 Dashcam HTTP Path Overflow Code Execution Vulnerability

May 13, 2019

CVE Number

CVE-2018-4016

Summary

An exploitable code execution vulnerability exists in the URL-parsing functionality of the Roav A1 Dashcam running version “RoavA1SWV1.9.” A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

Tested Versions

Anker Roav A1 Dashcam RoavA1SWV1.9

Product URLs

CVSSv3 Score

8.0 - CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that the users can toggle settings and download videos from the dashcam, along with a host of other features. In order to do this, users must first enable the “Wi-Fi AP” setting manually on the dashcam, and then connect to the “RoavA1” SSID, with the default password of “goroavcam.”

From here, the app interacts mainly with the dashcam via an eCOS webserver running on port 80 that requires no authentication. The standard HTTP POST, GET, and DELETE requests can be used to upload, download, or delete videos and pictures from the dashcam, but there’s also a separate interface used for configuration. When requesting any URL, a set of commands is accessed by providing the following HTTP query string: ?custom=1&cmd=<0000-9999>. It should be noted that only a subset of commands are implemented, the list of which can be found by accessing http://192.168.1.254/?custom=1&cmd=3012.

For the purposes of this writeup, we will not even be discussing any of the commands, but rather the file path of the HTTP request. When sending an HTTP GET request with a large file name (bigger than 0xA0), a function is called (most likely a derivative or earlier version of cyg_mtab_lookup()) which behaves like an unbounded strcpy. This function copies the path of the request into a size 0x80 buffer, stored on the top of the stack. The stack layout [1] is shown below:
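As an added illustration (not Anker's firmware and not part of the original advisory), the following C function is the bounded replacement for the unbounded copy described above: it extracts the path from a request line of the assumed form `GET <path>[?query] HTTP/1.1`, drops the `?custom=1&cmd=...` query string, and refuses any path that would not fit in a 0x80-byte buffer instead of writing past it.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 0x80   /* same size as the dashcam's on-stack path buffer */

/* Copy the request path into dst, rejecting anything that does not fit.
   Returns the path length on success, -1 on a malformed or oversized request.
   Request-line format (assumed): "GET <path>[?query] HTTP/1.1" */
int copy_request_path(char *dst, size_t dst_size, const char *request_line)
{
    const char *start = strchr(request_line, ' ');
    if (start == NULL)
        return -1;
    start++;                                     /* first byte of the path */

    const char *end = strchr(start, ' ');        /* end of the path/query */
    size_t len = end ? (size_t)(end - start) : strlen(start);

    const char *q = memchr(start, '?', len);     /* strip the query string */
    if (q != NULL)
        len = (size_t)(q - start);

    if (len >= dst_size)                         /* would overflow: reject */
        return -1;

    memcpy(dst, start, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[PATH_BUF_SIZE];
    char line[512];

    /* constructed sample: the command-listing request from the writeup */
    printf("%d\n", copy_request_path(buf, sizeof buf,
                                     "GET /?custom=1&cmd=3012 HTTP/1.1"));

    /* constructed sample: a 0xA0-byte path, which the firmware copies unchecked */
    strcpy(line, "GET /");
    memset(line + 5, 'A', 0xA0);
    line[5 + 0xA0] = '\0';
    strcat(line, " HTTP/1.1");
    printf("%d\n", copy_request_path(buf, sizeof buf, line));  /* -1: rejected */
    return 0;
}
```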